SSH MITM deep inspection
As vulnerabilities of OpenSSH continue to be exposed, it has become necessary to detect such attacks, which requires the ability to decrypt the SSH tunnel to check the data. This feature introduces comprehensive security controls on SSH Man-in-the-Middle (MITM) deep inspections, including:
- SSH filter profiles to control SSH tunnel types and filtering on SSH shell commands. l SSH proxy policies to apply a proxy firewall policy with user authentication on SSH session.
- Support for SSH tunnel policy to perform access control for TCP/IP port forwarding traffic that is tunneled through the SSH proxy. IPS scanning can be applied to the tunneled traffic. l Support for SSH trust to detect and prevent SSH MITM attacks.
SSH MITM deep
Syntax
- Add SSH related option in ssl-ssh-profile for proxy mode profile
- Add option to bypass or block unsupported SSH protocol (Deep scan only supports SSH 2.0)
config firewall ssl-ssh-profile edit <name> config ssh set unsupported-version {bypass | block}
next
end
end
- Add option to enable SSH proxy policy check
config firewall ssl-ssh-profile edit <name> config ssh set ssh-policy-check {enable | disable} set ssh-tun-policy-check {enable | disable}
next
end
end
- Move block/log options for x11-filter/ssh-shell/exec/port-forward to SSH filter profile
- SSH filter profile
- Support options to block or log x11-filter/ssh-shell/exec/port-forward/sftp
config ssh-filter profile edit <name> set block {x11-filter | ssh-shell | exec | port-forward | sftp} set log {x11-filter | ssh-shell | exec | port-forward | sftp}
next
end
- Add Shell command filters
config ssh-filter profile edit <name> config shell-commands edit <id>
set type {simple | regex} set pattern <cmd-string> set action {block | allow} set log {enable | disable} set alert {enable | disable} set severity {low | medium | high | critical} next
end
set default-command-log {enable | disable} end
SSH MITM deep inspection
- Allow SSH filter profile to be set for config firewall policy when UTM is enabled.
- Support SSH proxy policy for SSH sessions
- Add a proxy type ssh into config firewall proxy-policy
config firewall proxy-policy edit <pol-id> set proxy ssh
next
end
- When user/user-group is set in SSH proxy policy, firewall authentication can be done for SSH proxy traffic. Authentication rule for SSH is added:
config authentication rule edit <name> set protocol ssh
next end
- “Basic” authentication scheme:
config authentication scheme edit “ssh-active” set method basic
set user-database “local” #or LDAP server
next
- “ssh-publickey” authentication scheme:
config authentication scheme edit “ssh-pkey” set method ssh-publickey
set user-database “local” #or LDAP server set ssh-ca “server-ca”
next
User name is embedded in ssh-publickey. User group information will be retrieved if the publickey is validated by CA.
- Both “Basic” and “ssh-publickey” authentication scheme:
config authentication scheme edit “ssh-pkey” set method basic ssh-publickey set user-database “local” #or LDAP server set ssh-ca “server-ca” next
- Support SSH tunnel policy to do access control for TCP/IP port forwarding traffic.
- Add a proxy type ssh-tunnel into config firewall proxy-policy
config firewall proxy-policy edit <pol-id> set proxy ssh-tunnel set action {accept | deny}
next
end
- Support allow or deny and IPS sensor/app-control the traffic.
- Support SSH trust to detect and prevent from SSH MITM attacks
SSH MITM deep
- Define trusted SSH hostkey for specific SSH server
config firewall ssh host-key edit <name> set status {trusted | revoked} set type {RSA | DSS | ECDSA} set nid <NID of ECDSA key> set ip <ip> set port <port> set hostname <name> set public-key <hostkey>
next
end
- Define trusted/untrusted CAs for hostkey signing. Any hostkey signed by trust CA is trusted unless the hostkey is revoked.
config firewall ssh local-ca edit <name> set password <passwd> set public-key <public key> set private-key <private key> set source {build-in | user}
next
end
The system creates two build-in SSH CAs: Fortinet_SSH_CA and Fortinet_SSH_CA_ Untrusted. The CAs are used to re-sign a server host key with local host-key using trusted/untrusted CA when the server host key is trusted or untrusted.
- Define local hostkey templates for trusted re-signing. Be default, they are generated automatically.
config firewall ssh local-key edit <name> set password <passwd> set public-key <public key> set private-key <private key> set source {build-in | user}
next end
- The system creates different types of local host keys as default re-signing templates: Fortinet_SSH_RSA2048, Fortinet_SSH_DSA1024, Fortinet_ SSH_ECDSA256, Fortinet_SSH_ECDSA384, Fortinet_SSH_ECDSA512, Fortinet_SSH_ED25519, Fortinet_SSH_RSA1024.
- Admin can load their own local host keys and use them for MITM re-signing in config firewall ssh setting.
- Per-VDOM SSH settings
config firewall ssh setting set caname <trusted-ca> set untrusted-caname <untrusted-ca> set hostkey-rsa <hostkey-rsa> set hostkey-dss <hostkey-dss> set hostkey-ecdsa256 <hostkey-ecdsa256>
SSL server table for SSL offloading
set hostkey-ecdsa384 <hostkey-ecdsa384> set ed25519-key <ed25519-key> set host-trusted-check {enable | disble} end
- When a hostkey is trusted and signed by a CA, SSH proxy re-signs appropriate type of hostkey using trusted CA.
- When a host is trusted but not signed, SSH proxy sends back appropriate type of hostkey.
- When a hostkey is untrusted and signed by a CA, SSH proxy re-signs a temporary hostkey (1 hour life time) using untrused CA.
- When a host is trusted but not signed, SSH proxy sends back a temporary hostkey (one hour life time).
SSL server table for SSL offloading
An SSL server table can now be used for SSL offloading. This feature was introduced with the release of FortiOS
5.4.0.
CLI Syntax
config firewall ssl-ssh-profile edit <name> set use-ssl-server {enable|disable}
next end
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!